Security Reminder


Post by Rachael » Thu Jan 03, 2019 8:28 pm

This post is just a friendly reminder, to everyone, to PLEASE keep ALL of your accounts secure across every site you use, in order to prevent unwanted access by outsiders.

No administrator for ANY reputable site will *ever* ask for your password directly, and neither will ZDoom.

Additionally, please *never* use the same password for all sites. If you need a way to keep track of your passwords on different sites, consider a utility like KeePass and never give away your master password.

Also, be vigilant and keep malware off of your machine. Remember, Windows is not the only platform that can contain malware, especially these days where scripting technologies and virtual machines allow for malware to be hosted on literally any platform and even be fully cross-platform compatible. Yes - that means your Linux, your Raspberry Pi, your Android Phone, your iPhone, your iPod, and your Macintosh can all have malware on them, and it's important to protect yourself.

Keep in mind that for a multitude of reasons, pass phrases are far more secure than passwords. For example: "My_D0g_I$_AweSom3" (don't actually use that, obviously, it's just an example of what you should go for with passwords - note the use of mixed case and unpredictable punctuation/numeral replacements)

Additionally, for any sites that offer it, if you have a smart phone, always enable 2-factor authentication.

Never give your password for ANY site to another person. Even if they are an administrator/moderator!

If you believe your password is weak, PLEASE PLEASE PLEASE take this opportunity and change it to something stronger. Put it someplace safe if you think you'll forget it. It's really important that you, and only you, have access to your account. Thank you!
Rachael
Webmaster
 
Joined: 13 Jan 2004
Discord: Rachael#3767
Twitch ID: madamerachelle
Github ID: madame-rachelle

Re: Security Reminder

Post by Rachael » Fri Jan 18, 2019 9:10 pm

Hello, everyone - A massive data breach dubbed "collection #1" occurred. I have been trying to figure out what websites were hacked for this one - nothing I've found on it so far is specific about where the data has come from. (So far it appears ZDoom is unaffected.) Nevertheless, it's a good time to remind you all, don't share your passwords with anyone, use a different password for every site, and since every site and its grandmother these days requires you to create an account for some ungodly reason, use a password manager (that's not an Excel spreadsheet!).

If you want to learn more about this one, simply type "collection #1" into Google and you'll get plenty of results on it. I've included a link to an article discussing it as well. And always, stay safe, and have fun!
https://www.pcmag.com/news/366043/colle ... n-email-ad

---
Thanks Ghastly from the ZDoom Discord server also for mentioning - you can also check the site https://haveibeenpwned.com/ and put your email there, to see if your email has been affected by this breach - or any past ones.

Also thanks to Tristan885 - he mentioned you can use the same site to check to see if your password has been breached. https://haveibeenpwned.com/Passwords - probably useful if you use the same password on every site, but personally, I don't plan to be putting my password there to check - still, though, if you're brave, you can do it, or if you change it to something else right after, that will work too :P

(If you wish to discuss this, I've unlocked the topic)

Re: Security Reminder

Post by Lilybeth Fanwell » Fri Jan 18, 2019 11:08 pm

First question. So guests can post on ZDoom forums now? Interesting decision...

Anyways (thanks to a number of world events over the years [just my personal opinion]), things are raining down hard for them websites. I guess the only thing is to check your account info from now infected websites, if you dare. Safeguarding your email should have already been presumed. Your website accounts are in question of jeopardy. If time permits, you can still access the accounts before any damage has been done. Otherwise, they are at risk in the least of being snooped.

Have a good day.
Lilybeth Fanwell
 

Re: Security Reminder

Post by Princess Viscra Maelstrom » Sat Jan 19, 2019 9:26 am

it seems my main account was part of that breach, should i be concerned?
Princess Viscra Maelstrom
 
Joined: 04 Dec 2008
Location: plergleland

Re: Security Reminder

Post by Rachael » Sat Jan 19, 2019 9:30 am

Yes - make sure to change your password on all websites that use that email - and if you need to, use a password manager like KeePass to make them all unique to every site. If you already did that, there's nothing more you can do, short of abandoning that email address entirely.

Re: Security Reminder

Post by Enjay » Sat Jan 19, 2019 9:40 am

Rachael wrote:Also thanks to Tristan885 - he mentioned you can use the same site to check to see if your password has been breached. https://haveibeenpwned.com/Passwords - probably useful if you use the same password on every site, but personally, I don't plan to be putting my password there to check - still, though, if you're brave, you can do it, or if you change it to something else right after, that will work too :P

I'm not sure how useful that site is. I just tried a whole bunch of random passwords (some of them very random). Only one came up as never having been seen before - and it wasn't even one of the more obscure ones.
Enjay
Everyone is a moon, and has a dark side which he never shows to anybody. Twain
 
 
 
Joined: 15 Jul 2003
Location: Scotland

Re: Security Reminder

Post by Rachael » Sat Jan 19, 2019 9:57 am

Try typing "God" in there. (AFAIK It's one of the ones on the list for common passwords for hackers and pen testers) That one comes up just fine.

I cannot assert how useful that tool is, and as I said, I will not use it myself because that requires giving passwords to a site that I have no idea what they will do with it. But if you trust the site, then it seems useful enough, indeed - though you are right to question how useful it really is, since it is essentially asking you for passwords and that gives the site owner the ability to build a brute force database or something else equally nefarious.

Nevertheless, if everything is taken at face value (and so far I haven't seen actual reason not to), the database they are using only checks against the existing compromises that the site has chronicled, so if a common password is coming up as "not pwned" it just means it hasn't shown up in a password dump yet.

Re: Security Reminder

Post by Graf Zahl » Sat Jan 19, 2019 10:02 am

Maybe that's because so many people use "password" as their password or some date with personal significance. :twisted:

Of all the passwords I use only two came back as potentially compromised, both for accounts I registered under a fake name on some sites where I didn't want to disclose personal information and where I didn't care about security.

Rachael wrote:Try typing "God" in there. (AFAIK It's one of the ones on the list for common passwords for hackers and pen testers) That one comes up just fine.

I cannot assert how useful that tool is, and as I said, I will not use it myself because that requires giving passwords to a site that I have no idea what they will do with it. But if you trust the site, then it seems useful enough, indeed - though you are right to question how useful it really is, since it is essentially asking you for passwords and that gives the site owner the ability to build a brute force database or something else equally nefarious.


According to the fine print the entire password hashing is done client-side in JavaScript - the process is explained in detail in the FAQ section. If it wasn't, I'd guess that some big red warning signs have already sprung up somewhere else on the internet because that'd be one hell of a phishing scheme otherwise.
Graf Zahl
Lead GZDoom Developer
 
Joined: 19 Jul 2003
Location: Germany
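
A sketch of the client-side hashing mentioned in the post above, following the range lookup the Pwned Passwords service documents: the password is hashed locally and only the first five hex characters of the SHA-1 leave the machine. This is an added example, not part of the thread and not the site's own code; the function names, `CORPUS` and the stand-in server are assumptions, and the range data is constructed (the two counts are the ones quoted later in this thread).

```javascript
const { createHash } = require("crypto");

// SHA-1 of the password as 40 uppercase hex characters, computed locally.
function sha1Hex(password) {
  return createHash("sha1").update(password, "utf8").digest("hex").toUpperCase();
}

// Only `prefix` (5 hex chars) is ever sent; `suffix` stays on the client.
function splitHash(password) {
  const hash = sha1Hex(password);
  return { prefix: hash.slice(0, 5), suffix: hash.slice(5) };
}

// A range response is one "SUFFIX:COUNT" per line; match our suffix locally.
function countInRange(rangeBody, suffix) {
  for (const line of rangeBody.split(/\r?\n/)) {
    const [candidate, count] = line.trim().split(":");
    if (candidate && candidate.toUpperCase() === suffix) {
      return parseInt(count, 10);
    }
  }
  return 0; // suffix not listed: not present in the dumps the service holds
}

// Constructed corpus standing in for the service's data set.
const CORPUS = { password: 3645804, "1234": 1256907 };

// Hypothetical stand-in for the server: it sees the prefix and nothing else,
// and answers with every known suffix that shares it.
function fakeRangeServer(prefix, corpus) {
  return Object.entries(corpus)
    .map(([pw, n]) => ({ ...splitHash(pw), n }))
    .filter((e) => e.prefix === prefix)
    .map((e) => `${e.suffix}:${e.n}`)
    .join("\r\n");
}

function checkPassword(password, corpus = CORPUS) {
  const { prefix, suffix } = splitHash(password);
  // Real use: GET https://api.pwnedpasswords.com/range/<prefix>
  const body = fakeRangeServer(prefix, corpus);
  return { sent: prefix, count: countInRange(body, suffix) };
}

console.log(checkPassword("password"), checkPassword("My_D0g_I$_AweSom3"));
```

A count of 0 only means the password is absent from the data set queried, not that it is strong.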

Re: Security Reminder

Post by Apeirogon » Sat Jan 19, 2019 10:16 am

That's strange... from all my emails it found compromised only those which I don't actively use, and which I used only on several different sites.
The one I use now, for the last few years, doesn't seem to be compromised, despite the fact that I actively use it to register at some sites which are marked as "hacked".
Apeirogon
I have a strange sense of humour
 
Joined: 12 Jun 2017

Re: Security Reminder

Post by Rachael » Sat Jan 19, 2019 10:34 am

If you registered to a site after it has experienced a data breach, it has to experience another data breach in order for your data to be compromised. In other words - data breaches only affect the data that was available at the time of the breach - not new data - unless the breach is still open or it has been breached again.

And normally, experiencing a data breach causes sites and the organizations that run them to be a little bit more careful about safeguarding your data in order to prevent that second breach. It's hugely embarrassing, and for corporations, it's really expensive.

Nothing can change the fact that a site "was" breached at one time - that will remain on a corporation's public reputation until the end of time - but if they handled the breach correctly, then your account that was registered *after* the site was hacked will be safe.

Re: Security Reminder

Post by Enjay » Sat Jan 19, 2019 11:58 am

Maybe, just by chance, I typed some common keystrokes. I didn't actually try any of my own passwords.

These made me laugh though:
1234
This password has been seen 1,256,907 times before


password
This password has been seen 3,645,804 times before

Re: Security Reminder

Post by Graf Zahl » Sat Jan 19, 2019 1:12 pm

Scary, isn't it...? :?
That's roughly 0.6% of all breached passwords being 'password'...

Re: Security Reminder

Post by Princess Viscra Maelstrom » Sat Jan 19, 2019 1:16 pm

do i have to worry about the password of my email itself, or just everything connected to it?

Re: Security Reminder

Post by wildweasel » Sat Jan 19, 2019 1:42 pm

Viscra Maelstrom wrote:do i have to worry about the password of my email itself, or just everything connected to it?

If that password and email appear together at all, change the passwords everywhere. Because of the nature of the breach (it cannot be verified what all databases are present in it), it's likely that anybody with that information will try that combination anywhere they can, including emails (most likely to be attempted).
wildweasel
「お前はもうトースト」[you are already toast.]
Moderator Team Lead
 
Joined: 15 Jul 2003

Re: Security Reminder

Post by Princess Viscra Maelstrom » Sat Jan 19, 2019 2:20 pm

damn. i didn't really want to change my email password, but i guess i have no choice now...